An authorization in one bag - Radius Server + LDAP
Why one bag is better than several?
People do not like when they have to remember something! It does not matter what it is - passwords, dates, deadlines. They like the simple life and shortcuts. Typical administrator can say that for passwords you can use password safe application like KeePassX, but it does not resolve the problem. Imagine that (for example) Mrs. Helen from HR is scatterbrained and she removed KeePass database and forgot her passwords. What would you do then? Change of all Mrs. Helen’s passwords would be problematic for administrator ;) Is there a solution? Yes, it is The solution assumes that the problem may be solved by one password for everything. However if this password will be set for each service separately, it will not work. The solution requires a database for authorization of every user and a system for management.
FreeRadius with LDAP authentication
FreeRadius is the most popular free implementation of a RADIUS server. It can be used for user authentication across multiple services, not just Wi-Fi network. An example of such use is access to a VPN. Therefore, in this part of the cycle, there are little elements directly related to the Wi-Fi networks. However, the mere connection of the network infrastructure (AP) to the authentication server is not complicated.
The main advantages of FreeRADIUS software are:
- high potential and versatility,
- flexibility in configuration.
The software does not have special installation requirements. Typically the server handles certain domains (i.e. performs authentication and authorization of users of these domains). However it is necessary to use secure connections, so the OpenSSL package is required. In a situation where the server acts only as the proxy, then SSL connections are not implemented. Generally, it is Chai process of authentication, i.e. authorization and accounting work with selected database. According to the dependences you have to install packages such as:
- OpenLDAP - if you use LDAP for authentication / authorization (and you do not use commercial LDAP software)
- MySQL, Postgres - database software.
If you want to use scripts written in Perl or Python, you have to ensure that these packages were installed and available during the installation of the software.Configuration and administration of FreeRadius server is quite complicated, as the developers themselves admitted in the documentation. However, it is not due to inadequately designed model configuration, but from the fact that FreeRadius is a very powerful system which allows you to create complex and advanced solutions. For this reason, the most common mistake is trying to implement a large number of modifications in configuration files at once without testing them one by one. You have to remember that you should modify only the elements that you really understand. Getting started with the FreeRadius server is not complicated and has been substantially simplified by providing the extensive default configuration which fully sufficient to the basic usage. However, it is important that the capabilities of this technology are enormous.